115 browser design defects can cause remote theft of arbitrary files on the user's system

115 browser design defects can cause remote theft of arbitrary files on the user's system

This vulnerability was discovered two months ago .. I can only say that this is tricky to use... currently, 115 network disks must be forced to use 115 browsers before they can be logged on.

Detailed description:

Trigger with three defects

I:

The 115 browser integrates the 115 Network Disk and provides the function of directly logging on to the 115 account in the browser.

The upload function of the 115 network disk is added to the download module of the browser.

Users logging on to account 115 in a browser can directly upload local files to the Network Disk through the browser.

Analyze the reference of the chrome: // downloads/# upload function

http://2cto.com/static/browser/download/js/upload.js

Therefore, as long as the 115.com domain is obtained, chrome: // downloads/# upload may be operated.
First look at upload. js

Var init = function () {_ TCache. uploader = window ['uploadinter']; if (_ TCache. uploader) {UPLOAD_CONFIG_NEW.target = "u_00000"; UPLOAD_CONFIG_NEW ['use _ type'] = 2; UPLOAD_CONFIG_NEW ['file _ range'] = {"2": "0-67108864 ", "1": "67108864-0 "};...... install: function () {if (! Window ['uploadinterface']) {alert ('control not initialized '); return false;} return true ;}}......

Many of the methods in this section directly call the uploadInterface. CreateUploadDragTask method to upload files.

function (path, target) {  native function NativeCreateUploadDragTask();  return NativeCreateUploadDragTask(path, target);}

Targetworker optimize the upload_config_new.tar get = "u_00000" in the configuration ";
The directory ID of the online storage.

uploadInterface.CreateUploadDragTask("C:\/xxx","U_1_0")

In this way, the browser upload can be called.
 

Ii. Find the privileged domain after the method for uploading files is analyzed.

I just mentioned 115.com. I found a reflection xss directly on the main site.

http://2cto.com/xhprof/callgraph.php?run=xxx

But there is chrome's xss auditor

A bypass that has recently been reported by foreigners cannot be used.

This bypass has been used in the latest version of chrome, but it cannot be used in the 115 browser.
Later, @ phithon gave an old version of chrome's bypass. Because 115's built-in chrome version is old, the latest bypass does not apply to him.
The last bypass is because chrome does not detect the ISO-2022 character encoding.
So we can use the ISO-2022 code to bypass

http://2cto.com/xhprof/callgraph.php?run=%3Cmeta%20charset=ISO-2022-KR%3E%3Cimg%20src=1%20onerror%0f=alert(1)%3E

(This tip was proposed by foreigners three years ago and has already been fixed in chrome, but some browsers that use older chrome kernels may exist)
III:
The xss on the privileged domain is resolved. In addition, because files are uploaded to the network disk of the other account, we need to log on to the network disk of the other account to obtain the files we have stolen. I was trying to use xss to directly access cookies and log on to another person's network disk to get the stolen items, but I found that httponly was enabled in 115.

Then I found a place where I could break through httponly in a few days, but I couldn't find it. later I thought of a very tricky method. I changed the Network Disk account that the other party logged on to my Network Disk account, so that I could not get the stolen files.
Here we want to use csrf to log on to our account, and we do not need to analyze the 115 login encryption algorithm.
Capture packets directly during login

Write all fields as a form for automatic submission

Proof of vulnerability:

Finally, EXP is given:

All fields in the preceding form must be replaced by a packet capture. The generated login package data is valid for a long time and will not expire in a short period of time. You can use the login again.

The file in the specified path is successfully stolen.

Put the code on my server by the way.

Test address: http://115browser.com/115_getfile_wooyun.html

Solution:

1. Repair the XSS of the main site;

2. Strengthen border permission control.